Microsoft declines to patch Windows 98 and ME flaw

Migrate or face the security consequences, warns Redmond

Microsoft will not develop a patch for a critical security flaw in Windows 98, Windows 98 Second Edition and Windows Millennium Edition.

The Microsoft MS06-015 vulnerability affects Windows Explorer and could allow an attacker to take control of a system through a specially crafted website.

All Windows versions are vulnerable, but only Windows 2000, XP and Server 2003 have been patched.

“After extensive investigations we found that it is not feasible to make the extensive changes necessary to Windows Explorer on [the] older versions of Windows to eliminate the vulnerability,” Christopher Budd, a security programme manager at the Microsoft Security Response Center, wrote on a company blog.

Fixing the issue on Windows 98 and ME would require a complete overhaul of critical operating system components, he explained, which could cause application compatibility issues.

Users can protect themselves against attacks by blocking all traffic on TCP Port 139 through a perimeter firewall, Microsoft suggested. Windows uses port 139 for file and printer sharing.

Budd added that support for Windows 98 and ME is set to expire on 11 July, meaning that the company will end public support and stop issuing security updates.
At that date users should have upgraded to a newer version of Windows to ensure their online safety.

Data from Net Applications, a maker of site measurement tools, indicates that about three per cent of the world’s computers run Windows 98 and about one per cent are still powered by Windows ME.

Posted in: General

This entry was posted on Tuesday, June 13th, 2006 at 5:15 am and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.